Each of the three claimants were involved in road traffic accidents and instructed a firm of solicitors to claim damages for personal injuries in the County Court. The personal injury claims of the second claimant, a child, and the third claimant arising from the same accident were settled, while the first claimant’s claim remained ongoing. Meanwhile 18 insurers, which were the substantive or potential defendants to a large number of road traffic claims brought by individuals represented by the firm, became concerned about some unusual features of the claims including the high proportion of claims for damages for psychological injury with a prognosis of significant duration relying on the expert evidence of the same psychiatrist, which raised suspicion of exaggeration and possibly fraud. They instructed their own solicitors who reviewed the data in relation to the claims and prepared a spreadsheet setting out the name of the individuals making the claims, whether they were under 16, dates of any medical examinations, whether there had been a referral to a psychiatrist/psychologist and the diagnosis and prognosis if applicable, without any redaction or use of pseudonyms. The intention was that the spreadsheet, together with a witness statement prepared by the insurers’ solicitors analysing the data (“the evidence”) would be relied upon in various personal injury proceedings unrelated to the claimants, in support of the insurers’ cases that the claims were by nature fundamentally dishonest. Although the insurers’ solicitors subsequently pseudonymised the evidence in the spreadsheet, the claimants nonetheless brought proceedings against them under Parliament and Council Regulation (EU) No 2016/679 as retained following the United Kingdom’s exit from the European Union (“the GDPR”) contending, inter alia, that the processing of their personal data in the evidence, for use in proceedings to which the claimants were not parties, was contrary to articles 5(1), 6 and 9 of the GDPR.
On the claim—
Held, claim dismissed. While the claimants had not given their consent to the data processing in question, the insurers’ solicitors had undertaken it for the legitimate purpose of using the evidence in support of applications by its clients to establish exaggeration or fundamental dishonesty in the personal injury proceedings, acting in compliance with its obligation to act on its clients’ instructions, in its clients’ best interests as well as in the public interest in ensuring the proper administration of justice, and for the purposes of the legitimate interests of its clients. For practical reasons, the use of full name of the individuals was required both to identify the exact person and for clarity and reliability of the data, and in any event the claimants’ solicitors would request such details for verification purposes. The data processing, including the use of the claimants’ names, was therefore necessary for the pursuit of the legitimate objectives of the insurers’ solicitors at the stage of filing and serving the evidence and was lawful for the purposes of article 6(1) of the GDPR. Further, since the processing in issue related to data provided by the claimants with a view to commencing personal injury claims before the court, the claimants would reasonably have expected the data, including special category data for article 9 purposes, to be disclosed in open court, or at least to the lawyers acting for the insurers, and for that information then to be investigated and analysed, with a view to any potential defence. On that basis, and balanced against the limited scope of the processing (disclosure only to the court and to the claimants’ solicitors, and subsequently subject to pseudonymisation), the interests or fundamental freedoms of the claimants did not take precedence over the legitimate interest of the insurers in putting the data contained within the evidence before the court to support pleas of fundamental dishonesty in the County Court proceedings. That conclusion was not displaced by the fact that the evidence included data relating to a child and data about health which fell within the special categories of personal data under article 9 of the GDPR. The processing was therefore proportionate for the identified purposes. Moreover, bearing in mind (i) that one of the claimants was a child and that, for each claimant, the evidence included special category personal data, (ii) that there was a likely disparity in resources between the claimants and the insurers, but also (iii) that the claimants had not been deceived or misled by the insurers’ solicitors, being aware that information disclosed in potential litigation would be the subject of scrutiny and investigation by the lawyers acting for the insurers and would be utilised in open court proceedings, (iv) that the impact of the processing on the interests of the claimants was no more than minimal given the limited nature of the disclosure, and (v) that the processing and did not subject the claimants to an unjustified detriment given that it was undertaken for lawful purposes and was necessary and proportionate for those purposes, in all the circumstances the processing was fair and transparent. The requirements of data and storage minimisation, and of integrity and confidentiality, were also met given that the insurers’ solicitors had duly pseudonymised the information at the point that became possible, to allow the data subjects referenced in the evidence to be identified by alternative means without the use of their names. Accordingly, the processing complied with the data processing principles in article 5(1) and was lawful (paras 81, 82, 88, 91–93, 96, 97, 100–105, 108, 109, 112).
Richard Hanstock (instructed by Ersan & Co Solicitors) for the claimants.
Robin Hopkins (instructed by Clyde & Co LLP) for the insurers’ solicitors.